Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
Author: Jess Hires
As red-team practitioners, we are constantly using tools that try to fingerprint a compromised system, ideally in the stealthiest way possible. Some of our standard tooling for this started getting flagged by EDR products because it relied on Windows CLI commands. This Aggressor script aims to solve that problem by probing the system using only local registry queries, with no CLI commands at all.
Load reg.cna into Cobalt Strike using the Script Manager. Then right-click the beacon you want to run registry recon on and choose the Recon menu entry, or type regenum into the beacon console.
How does this work?
Essentially, the script uses Cobalt Strike's breg_queryv function to read the registry. All beacon output is then hooked with beacon_output and scanned for specific values. When a match is found, the matching output is highlighted in the beacon console. Since there is no beacon_output_reg or anything similar, like beacon_output_ps, all output has to be captured for parsing.
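The script above works because plain registry reads are usually not inspected the way CLI commands are. The defensive counterpart is to audit reads of the keys that identify your security products (a SACL on those keys makes Windows log Security Event ID 4663 with Object Type "Key") and alert when a process outside a short allowlist reads them. The following is an added example and is not part of reg.cna or the author's code: the Windows Defender registry paths are real, while the allowlist, the event text and the 4663 field layout used here are constructed for illustration.

```python
"""Flag registry reads of security-product keys from unexpected processes.

Added example (not part of reg.cna). Assumes a SACL has been set on the
watched keys so that Windows emits Security Event 4663 (Object Type: Key)
for reads; the event text below is a constructed, simplified rendering.
"""
from dataclasses import dataclass

# Keys that identify a security product. Windows Defender paths are real;
# add your own product's keys here (assumption: you know which they are).
WATCHED_KEY_PREFIXES = (
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender",
    r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend",
)

# Processes expected to read those keys in normal operation (constructed allowlist).
ALLOWED_PROCESSES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\svchost.exe",
}

# Constructed sample events, separated by '---'. Only the second one is suspicious:
# an unsigned temp-folder binary reading the Defender service key.
SAMPLE_EVENTS = r"""
Event ID: 4663
Object Type: Key
Object Name: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender
Process Name: C:\Program Files\Windows Defender\MsMpEng.exe
Accesses: Query key value
---
Event ID: 4663
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend
Process Name: C:\Users\alice\AppData\Local\Temp\update.exe
Accesses: Query key value
---
Event ID: 4663
Object Type: File
Object Name: C:\Users\alice\notes.txt
Process Name: C:\Windows\System32\notepad.exe
Accesses: ReadData
"""


@dataclass
class RegistryRead:
    process: str
    key: str
    accesses: str


def parse_events(text):
    """Split the constructed event text into a list of {field: value} dicts."""
    events = []
    for block in text.split("---"):
        fields = {}
        for line in block.strip().splitlines():
            name, sep, value = line.partition(":")  # split on the first colon only
            if sep:
                fields[name.strip()] = value.strip()
        if fields:
            events.append(fields)
    return events


def find_suspicious_reads(text):
    """Return reads of watched keys (Event 4663, Object Type Key) by non-allowlisted processes."""
    hits = []
    watched = tuple(prefix.lower() for prefix in WATCHED_KEY_PREFIXES)
    for event in parse_events(text):
        if event.get("Event ID") != "4663" or event.get("Object Type") != "Key":
            continue
        key = event.get("Object Name", "")
        process = event.get("Process Name", "")
        if not key.lower().startswith(watched):
            continue  # not a security-product key
        if process.lower() in ALLOWED_PROCESSES:
            continue  # expected reader (the product itself, service host)
        hits.append(RegistryRead(process, key, event.get("Accesses", "")))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_reads(SAMPLE_EVENTS):
        print(f"ALERT: {hit.process} read {hit.key} ({hit.accesses})")
```

Run stand-alone, the script prints one alert for the temp-folder binary and stays silent for MsMpEng.exe and for the unrelated file read. Because a registry read is cheap and common, the allowlist is what keeps this from being noisy: tune it per product rather than widening the key prefixes.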
What if my AV/EDR product isn't detected? / How can I help?
That is expected. We could not test every AV/EDR solution, and we knew that many would be missing. You can help us out by filing a GitHub issue with the following information:
- Whether this is a System, AV, or EDR entry
- The name of the product
- Related registry entries that can be used to reliably identify the product